4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
9.3 High
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
73.6%
The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation.
lists.opensuse.org/opensuse-security-announce/2012-07/msg00011.html
lists.opensuse.org/opensuse-security-announce/2012-07/msg00012.html
lists.opensuse.org/opensuse-security-announce/2012-07/msg00013.html
lists.opensuse.org/opensuse-security-announce/2012-07/msg00016.html
osvdb.org/84005
rhn.redhat.com/errata/RHSA-2012-1088.html
secunia.com/advisories/49965
secunia.com/advisories/49968
secunia.com/advisories/49972
secunia.com/advisories/49977
secunia.com/advisories/49979
secunia.com/advisories/49992
secunia.com/advisories/49993
secunia.com/advisories/49994
www.mozilla.org/security/announce/2012/mfsa2012-53.html
www.securityfocus.com/bid/54582
www.securitytracker.com/id?1027256
www.securitytracker.com/id?1027257
www.securitytracker.com/id?1027258
www.ubuntu.com/usn/USN-1509-1
www.ubuntu.com/usn/USN-1509-2
www.ubuntu.com/usn/USN-1510-1
bugzilla.mozilla.org/show_bug.cgi?id=767778
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17056